# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Will Sinatra <wpsinatra@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
pkgver=9.7_p1
# Upstream tarball version: drop the "_" from pkgver (9.7_p1 -> 9.7p1).
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=3
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
license="SSH-OpenSSH"
# suid: the package ships a setuid binary (ssh-keysign, which upstream's
# install target installs setuid root for host-based authentication);
# abuild rejects setuid/setgid files unless this option is set.
options="suid"
# The bare "openssh" package is a meta package pulling in the default split.
depends="openssh-client openssh-sftp-server openssh-server"
makedepends_build="autoconf automake"
makedepends_host="
	linux-headers
	openssl-dev>3
	zlib-dev
	"
#
# NOTE: if you edit this file, please make sure that it builds with `BOOTSTRAP=1 abuild -r`
#
# build bootstrap sshd without libedit, linux-pam and krb5
# (BOOTSTRAP is presumably set by the bootstrap build; the PAM, Kerberos,
# FIDO2 and utmps dependencies and their flavor subpackages only exist for
# the regular build)
if [ -z "$BOOTSTRAP" ]; then
	makedepends_host="$makedepends_host libedit-dev linux-pam-dev krb5-dev libfido2-dev
		utmps-dev utmps-static"
	subpackages="$pkgname-client-krb5:_client_krb5
		$pkgname-server-pam:_server_with_flavor
		$pkgname-server-krb5:_server_with_flavor
		$pkgname-sk-helper:_ssh_sk_helper"
fi

makedepends="$makedepends_build $makedepends_host"

# Order matters: subpackages are split in the listed order, so the specific
# client binaries (ssh-keygen, ssh, ssh.krb5) are moved out by their own
# subpackages before -client-common sweeps the remainder of usr/bin.
subpackages="$pkgname-dbg
	$subpackages
	$pkgname-doc
	$pkgname-keygen
	$pkgname-client-default:_client_default
	$pkgname-client-common:_client_common
	$pkgname-keysign
	$pkgname-sftp-server:_sftp_server
	$pkgname-server-common:_server_common:noarch
	$pkgname-server
	$pkgname-server-common-openrc
	"

# Patches are applied in listed order by the default prepare().
# disable-forwarding-by-default.patch and default-internal-sftp.patch change
# the shipped defaults (presumably forwarding off, in-process sftp server);
# see the patch files for the exact changes.
source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar.gz
	fix-utmp.patch
	disable-forwarding-by-default.patch
	avoid-redefined-warnings-when-building-with-utmps.patch
	default-internal-sftp.patch
	include-config-dir.patch

	sshd.initd
	sshd.confd
	sshd.pam
	"

# secfixes:
#   9.6_p1-r0:
#     - CVE-2023-48795
#   8.8_p1-r0:
#     - CVE-2021-41617
#   8.5_p1-r0:
#     - CVE-2021-28041
#   8.4_p1-r0:
#     - CVE-2020-14145
#   7.9_p1-r3:
#     - CVE-2018-20685
#     - CVE-2019-6109
#     - CVE-2019-6111
#   7.7_p1-r4:
#     - CVE-2018-15473
#   7.5_p1-r8:
#     - CVE-2017-15906
#   7.4_p1-r0:
#     - CVE-2016-10009
#     - CVE-2016-10010
#     - CVE-2016-10011
#     - CVE-2016-10012
#   0:
#     - CVE-2023-38408

# Unpacked upstream source tree (e.g. $srcdir/openssh-9.7p1).
builddir="$srcdir/$pkgname-$_myver"

# Run autoreconf + ./configure with the options shared by every flavor.
# The per-flavor switches (--with/--without pam, kerberos5, ...) arrive in "$@".
# Honors BOOTSTRAP: the bootstrap build has neither libedit nor utmps available.
_do_configure() {
	autoreconf

	local _libedit_flag
	case "$BOOTSTRAP" in
		"") _libedit_flag="--with-libedit" ;;
		*)  _libedit_flag="--without-libedit" ;;
	esac

	# utmps is linked statically; its pkg-config data only exists outside bootstrap.
	local _utmps_cflags="" _utmps_libs=""
	if [ -z "$BOOTSTRAP" ]; then
		_utmps_cflags=$(pkg-config --cflags --static utmps)
		_utmps_libs=$(pkg-config --libs --static utmps)
	fi

	# --disable-utmp/wtmp/lastlog: OpenSSH's own login-record code is off;
	#   the statically linked utmps (plus fix-utmp.patch) presumably covers it.
	# --with-privsep-user/--with-privsep-path: unprivileged sshd user and its
	#   empty chroot directory; package() creates /var/empty.
	# --disable-strip: abuild strips binaries itself and fills the -dbg subpackage.
	# --with-ssl-engine: OpenSSL ENGINE API support. NOTE(review): ENGINE is
	#   deprecated in OpenSSL 3 — check whether this is still needed.
	./configure \
		--build="$CBUILD" \
		--host="$CHOST" \
		--prefix=/usr \
		--sysconfdir=/etc/ssh \
		--libexecdir=/usr/lib/ssh \
		--mandir=/usr/share/man \
		--with-pid-dir=/run \
		--with-mantype=doc \
		--with-cflags="$CFLAGS $_utmps_cflags" \
		--with-libs="$_utmps_libs" \
		--with-ldflags="$LDFLAGS" \
		--disable-utmp \
		--disable-wtmp \
		--disable-lastlog \
		--disable-strip \
		--with-privsep-path=/var/empty \
		--with-xauth=/usr/bin/xauth \
		--with-default-path='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
		--with-privsep-user=sshd \
		--with-ssl-engine \
		$_libedit_flag \
		"$@"
}

# Configure and build one variant: $1 is the tail of the progress message,
# the remaining arguments are handed to _do_configure.
_build_variant() {
	local _what="$1"
	shift
	msg "Building openssh $_what"
	_do_configure "$@"
	make
}

build() {
	# Link through the compiler driver instead of bare ld.
	export LD="$CC"
	export TEST_SSH_UTF8=no # utf8 test fails

	# Builtin FIDO2 support (libfido2) is only available outside bootstrap,
	# where libfido2-dev is a makedepend.
	local _sk_builtin=""

	if [ -z "$BOOTSTRAP" ]; then
		# PAM flavor of sshd; the binary is set aside under a flavor suffix
		# before the next configure/make overwrites it.
		_build_variant "with pam support..." --without-kerberos5 --with-pam --with-pam-service=sshd
		mv sshd sshd.pam

		# Kerberos flavor (also PAM-enabled) of both sshd and ssh.
		_build_variant "with kerberos5" --with-kerberos5 --with-pam
		mv sshd sshd.krb5
		mv ssh ssh.krb5

		_sk_builtin="--with-security-key-builtin"
	fi

	# The default build (no PAM, no Kerberos) is what `make install` in
	# package() picks up.
	_build_variant "without pam and kerberos5" --without-kerberos5 --without-pam $_sk_builtin
}

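check() {
	# Run all tests except the t-exec tests which fail on the
	# builders for some reason but pass locally (needs further
	# investigation).
	TEST_SSH_UNSAFE_PERMISSIONS=1 make -j1 file-tests interop-tests unit

	local i

	# The flavor checks are explicit rather than relying on set -e stopping
	# at a failing grep, so a mis-linked binary always fails check() with a
	# clear message regardless of the shell options abuild runs under.
	if [ -z "$BOOTSTRAP" ]; then
		msg "verify pam build"
		if ! scanelf -n sshd.pam | grep -q libpam; then
			error "sshd.pam is not linked against libpam"
			return 1
		fi

		msg "verify krb5 build"
		for i in sshd.krb5 ssh.krb5; do
			if ! scanelf -n "$i" | grep -q krb5; then
				error "$i is not linked against libkrb5"
				return 1
			fi
		done
		# NOTE(review): ssh-sk-helper could likewise be checked for libfido2
		# here (this build passes --with-security-key-builtin) — confirm the
		# DT_NEEDED name before adding it.
	fi

	# The default sshd/ssh must stay free of PAM and Kerberos: that extra
	# surface is opted into via the separate -pam/-krb5 flavors only.
	msg "verify minimal build"
	for i in sshd ssh; do
		if scanelf -n "$i" | grep -qE '(libpam|krb5)'; then
			error "$i should not be linked to libpam or libkrb5"
			return 1
		fi
	done
}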

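package() {
	make DESTDIR="$pkgdir" install
	if [ -z "$BOOTSTRAP" ]; then
		# Extra sshd/ssh flavors produced by build(); split out by subpackages.
		install -m755 -t "$pkgdir"/usr/sbin/ sshd.pam sshd.krb5
		install -m755 -t "$pkgdir"/usr/bin/ ssh.krb5
		# $srcdir/sshd.pam is the PAM service file, not the sshd.pam binary above.
		install -Dm644 "$srcdir"/sshd.pam "$pkgdir"/etc/pam.d/sshd
	fi

	# Privilege-separation directory (--with-privsep-path): sshd refuses to
	# start if it is group- or world-writable, so set the mode explicitly
	# instead of depending on the build umask.
	install -d -m755 "$pkgdir"/var/empty
	# Drop-in config dirs (presumably read via include-config-dir.patch).
	install -d -m755 "$pkgdir"/etc/ssh/ssh_config.d
	install -d -m755 "$pkgdir"/etc/ssh/sshd_config.d

	install -D -m755 "$srcdir"/sshd.initd \
		"$pkgdir"/etc/init.d/sshd
	install -D -m644 "$srcdir"/sshd.confd \
		"$pkgdir"/etc/conf.d/sshd
	install -Dm644 "$builddir"/contrib/ssh-copy-id.1 \
		"$pkgdir"/usr/share/man/man1/ssh-copy-id.1
	install -Dm755 "$builddir"/contrib/findssl.sh \
		"$pkgdir"/usr/bin/findssl.sh
	install -Dm755 "$builddir"/contrib/ssh-copy-id \
		"$pkgdir"/usr/bin/ssh-copy-id
	# Also expose the pkcs11 helper in PATH (make install puts it in libexecdir).
	install -Dm755	"$builddir"/ssh-pkcs11-helper \
		"$pkgdir"/usr/bin/ssh-pkcs11-helper
}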

keygen() {
	pkgdesc="ssh helper program for generating keys"
	# Only libcrypto is needed; no dependency on the rest of openssh.
	depends="libcrypto3>=3.1.0"

	local _bin=usr/bin/ssh-keygen
	amove "$_bin"
}

_client_krb5() {
	pkgdesc="OpenBSD's SSH client with kerberos support"
	# Mutually exclusive with the default client: both provide openssh-client
	# and both install /usr/bin/ssh.
	depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-default"
	provides="openssh-client=$pkgver-r$pkgrel"
	# Lower than openssh-client-default (2): the default client is the
	# preferred provider of openssh-client.
	provider_priority=1

	local _bindir="$subpkgdir"/usr/bin
	amove usr/bin/ssh.krb5
	# Inside the subpackage the kerberos build is plain ssh again.
	mv "$_bindir"/ssh.krb5 "$_bindir"/ssh
}

_ssh_sk_helper() {
	pkgdesc="OpenSSH libfido2 security key helper"
	# NOTE(review): this pulls in openssh-server-common (sshd_config) although
	# the helper appears to be used by the client side (ssh/ssh-keygen) as
	# well — confirm the dependency is intended.
	depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"

	local _helper=usr/lib/ssh/ssh-sk-helper
	amove "$_helper"
}

_client_default() {
	pkgdesc="OpenBSD's SSH client"
	# Conflicts with the kerberos client: both provide openssh-client and
	# ship /usr/bin/ssh.
	depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-krb5"
	provides="openssh-client=$pkgver-r$pkgrel"
	# Higher than openssh-client-krb5 (1): this is the preferred provider.
	provider_priority=2

	local _ssh_bin=usr/bin/ssh
	amove "$_ssh_bin"
}

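_client_common() {
	pkgdesc="OpenBSD's SSH client common files"
	depends="libcrypto3>=3.1.0"

	# Explicit mode: /var/empty is sshd's privilege-separation directory and
	# must not be group- or world-writable, so do not depend on the build umask.
	install -d -m755 "$subpkgdir"/usr/lib/ssh \
		"$subpkgdir"/var/empty

	# Runs after the per-client subpackages (ssh-keygen, ssh, ssh.krb5) in
	# subpackages= order, so this sweeps up the remainder of usr/bin.
	amove usr/bin
	amove etc/ssh/ssh_config
	amove etc/ssh/ssh_config.d
	amove etc/ssh/moduli
}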

keysign() {
	pkgdesc="ssh helper program for host-based authentication"
	# Needs some openssh-client provider (default or krb5) plus libcrypto.
	depends="openssh-client=$pkgver-r$pkgrel libcrypto3>=3.1.0"

	# ssh-keysign is installed setuid root by upstream's install target;
	# it is the reason this APKBUILD sets options="suid".
	local _helper=usr/lib/ssh/ssh-keysign
	amove "$_helper"
}

_sftp_server() {
	pkgdesc="ssh sftp server module"
	# No dependencies: sshd executes it as the sftp subsystem (the shipped
	# default presumably uses internal-sftp instead, see default-internal-sftp.patch).
	depends=""

	local _module=usr/lib/ssh/sftp-server
	amove "$_module"
}

_server_common() {
	pkgdesc="OpenSSH server configuration files"
	depends=""

	# Shared by every sshd flavor (default, -pam, -krb5); marked noarch in
	# subpackages= since it only carries configuration.
	local _conf
	for _conf in etc/ssh/sshd_config etc/ssh/sshd_config.d; do
		amove "$_conf"
	done
}

server() {
	pkgdesc="OpenSSH server"
	depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"

	# The default sshd: built without PAM and Kerberos (check() verifies this).
	local _daemon=usr/sbin/sshd
	amove "$_daemon"
}

_server_with_flavor() {
	# The flavor is whatever follows "openssh-server-" in the subpackage name
	# (pam or krb5), matching the sshd.<flavor> binaries installed by package().
	local _variant=${subpkgname#openssh-server-}
	pkgdesc="OpenSSH server with $_variant support"
	depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"

	case "$_variant" in
	pam)
		# The PAM flavor also owns the PAM service file from package().
		amove etc/pam.d/sshd
		;;
	esac

	amove usr/sbin/sshd."$_variant"
}

# Checksums for every entry in source=; abuild verifies them before unpacking.
# Keep exactly one "<sha512>  <file>" pair per line (the block is parsed
# line by line) and regenerate with `abuild checksum` after changing source=.
sha512sums="
0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55  openssh-9.7p1.tar.gz
b10a9eb167cfbb23b144fdb03f30a0363be9a715ceb3c202c971ec4f36160e434cc6bbad91d0e49106189e07152067f7e227df28b5a1b82f3901cb36cba321b5  fix-utmp.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de  disable-forwarding-by-default.patch
e85754b2b6c4c37b432d166e63d6293e58c9c8bb6ebd8d3527c83afa2337f14c06d6a4e008ffcc0afd7dc3409e960b89c1dde41d2543c4be7d4813d477ff3a5e  avoid-redefined-warnings-when-building-with-utmps.patch
1fb55aae445dfd9ededeba1f204a0c3e4a752128ad0a388f473ace074e68b040112f309192243621fd4f16b0d1cce4f083612b1639c3e18166abf92babe52c93  default-internal-sftp.patch
ff73563e6018e94a1b2dd320cf32426f3945c0f4aa509eeb95783c34dd5c5c8dec91f6d71e4d538c4735539a4d8c724cf61d71513887d8a96b84109ae3a5562e  include-config-dir.patch
2cab1b844d4efb53f848308b4aaedbe74888d2e85bcb2e4dfdae7c18ac3ecea707829072a4276fbe90dfe2f537bbf48127d96f29ec5154e96c0bfb7437910d53  sshd.initd
be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09  sshd.confd
5d3b62d724d930bafb6263d0600828771e667751cb5ba5070414dce7c3d0559bebdfb05960b721cfd20c81d3ad824291ffb10498798171c8bbbcbf389b706265  sshd.pam
"
